From: Mark Wooding
Date: Thu, 8 Apr 2010 19:18:30 +0000 (+0100)
Subject: vampire.m4: Remove the magical DNS DDoS hack.
X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/6d2803b2701d008ffdb6410c775e113f483e92a2
vampire.m4: Remove the magical DNS DDoS hack.
We're going to use fail2ban for this job (and others). So we don't need logtrawl any more.
---
diff --git a/local.mk b/local.mk
index 8294782..308f22c 100644
--- a/local.mk
+++ b/local.mk
@@ -7,8 +7,6 @@ HOSTS += vampire
 ROOT = become root
-SCRIPTS += logtrawl
-
 ## Installation.
 install: all
 firewall_script=./`hostname`.sh && \
@@ -17,7 +15,7 @@ install: all
 $(ROOT) ./$$firewall_script
 for i in $(HOSTS); do \
 $(ROOT) scp $$i.sh $$i:/etc/init.d/firewall; \
- for j in $(SCRIPTS); do \
+ [ "$(SCRIPTS)" ] && for j in $(SCRIPTS); do \
 $(ROOT) ssh $$i <$$j " \
 cd /usr/local/sbin && \
 rm -f $$j.new && \
diff --git a/logtrawl b/logtrawl
deleted file mode 100755
index 8153acc..0000000
--- a/logtrawl
+++ /dev/null
@@ -1,27 +0,0 @@
-#! /bin/bash
-
-set -e
-
-## DNS DDOS victims.
-dns_victims=$(
- sed -n '
- /^.*named.*client \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\)#.*:.*view inet.*NS\/IN.*denied.*$/ s//\1/p
- ' /var/log/daemon.log |
- sort -u |
- while read addr; do
- if ! ipset -qT ddos-evil-dns "$addr"; then
- echo "$addr"
- fi
- done
-)
-case "$dns_victims" in
- "") ;;
- *)
- echo 'DNS DDOS victim addresses:'
- ipset -N ddos-evil-dns iphash >/dev/null 2>&1 || :
- for addr in $dns_victims; do
- echo " $addr"
- ipset -A ddos-evil-dns "$addr" || :
- done
- ;;
-esac
diff --git a/vampire.m4 b/vampire.m4
index 05a3293..13e37bd 100644
--- a/vampire.m4
+++ b/vampire.m4
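Review bot: The new guard `[ "$(SCRIPTS)" ] && for j in $(SCRIPTS); do … done` in the second local.mk hunk leaves a non-zero exit status behind whenever SCRIPTS is empty, and after this commit that is the normal case, since the first hunk removes the only `SCRIPTS +=` line visible in the patch. If that AND-list is the last command in the body of the outer `for i in $(HOSTS)` loop (the loop closes outside the hunk, so this is inferred), the loop's status becomes 1 and `make install` reports an error even though every host was deployed. Writing the guard as `[ -z "$(SCRIPTS)" ] || for j in $(SCRIPTS); do \` keeps the skip and returns success. A POSIX `for` whose word list expands to nothing is legal and simply runs zero times, so the guard could also be dropped entirely. The recipe line continues past the end of the hunk.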
@@ -36,18 +36,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### vampire-specific rules.
-m4_divert(35)m4_dnl
-errorchain ddos-evil-dns DROP
-## Invalid DNS request with probably-forged sender address, with intent to
-## cause DDOS.
-
 m4_divert(82)m4_dnl
-## Repelling evil DDos attack.
-run ipset -N ddos-evil-dns iphash 2>/dev/null || :
-run iptables -A inbound -g ddos-evil-dns \
- -m set --set ddos-evil-dns src \
- -p udp --destination-port $port_dns
-
 ## Externally visible services.
 allowservices inbound tcp \
 finger ident \